Attackers Use Fake Friends to Blend into Facebook

Barracuda Labs Unveils New Research Study Analyzing Facebook Profiles

View the Infographic: Facebook: Fake Profiles vs. Real Users at http://www.barracudalabs.com/fbinfographic/.

Campbell, Calif. (February 2, 2012) – Barracuda Networks, a leading provider of security, networking and data protection solutions, today released findings from Barracuda Labs’ most recent study, Facebook: Fake Profiles vs. Real Users. The study analyzes a random sampling of 2,884 active Facebook accounts to identify key differences between average real user accounts and fake accounts created by attackers and spammers. The results of the study are being presented today at the 2012 Kaspersky Threatpost Security Analyst Summit in Cancun, Mexico.

Facebook, which filed for IPO this week, has become an important part of personal and business communication. The company consistently fights to keep attackers out of its network, most recently announcing its lawsuit against a marketing firm accused of “spreading spam through misleading and deceptive tactics”. The Barracuda Labs study provides yet another example of this “arms race” as an increasing number of attackers move to social networks to carry out their wares.

Highlighted findings from the Barracuda Labs study include:
•    Almost 60 percent of fake accounts claim to be bisexual, 10 times more than real users
•    Fake accounts have six times more friends than real users, 726 versus 130
•    Fake accounts use photo tags over 100 times more than real users, 136 tags per four photos versus one tag per four photos
•    Fake accounts almost always (97 percent) claim to be female, as opposed to 40 percent for real users

“Likes, News Feeds and Apps have helped lead Facebook to its social network dominance and now attackers are harnessing those same features to efficiently scale their efforts,” said Dr. Paul Judge, chief research officer at Barracuda Networks. “These fake profiles and apps give attackers a long-lived path to continuously present malicious links to innocent users.

“Also, researchers have shown how friending malicious accounts can lead to account takeover using Facebook’s trusted friend account recovery,” Judge continued. “We have analyzed thousands of fake accounts to determine features and patterns that distinguish them from real users, and created a feature-based heuristic engine to distinguish real users from fake profiles.”

The study analyzes data collected from Barracuda Profile Protector, a free tool that analyzes and blocks malicious activity on Facebook and Twitter, along with public data collected from streams and network crawling to demonstrate how users typically operate. The study illustrates how attacks on Facebook are structured to exploit the “friendship” concept and trust of widely-used applications. A variety of machine learning techniques are used to analyze shared URLs, profile images, profile information, and connections with other users to reveal associations, weak and strong, between malicious users.

Resources:
•    Download the Infographic: Facebook: Fake Profiles vs. Real Users at http://www.barracudalabs.com/fbinfographic/.
•    View the Barracuda Labs security research portal at http://barracudalabs.com.
•    Install Profile Protector at http://ProfileProtector.com.
•    Follow Barracuda Labs on Twitter at @barracudalabs

About Barracuda Labs
Barracuda Labs is a global multi-disciplinary research and threat analysis team that fulfills a critical role in developing innovative technologies across Barracuda Networks’ business areas. The team evaluates the threat ecosystem and creates security intelligence to defend Barracuda Networks customers. Barracuda Labs’ threat research areas, which include email, Web, network and cloud security and technology, are designed to improve the world’s security posture by promoting security awareness and education, developing and innovating new defense technologies, and working with government and law enforcement agencies to reduce cybersecurity crime. For more information, please visit www.barracudalabs.com.

About Barracuda Networks Inc.
Barracuda Networks combines premises-based gateways and software, virtual appliances, cloud services, and sophisticated remote support to deliver comprehensive content and network security, data protection and application delivery solutions. The company’s expansive product portfolio includes offerings for protection against email and Web threats as well as products that improve application delivery and network access, message archiving, backup and data protection. Coca-Cola, FedEx, Harvard University, IBM, L’Oreal, and Europcar are among the more than 150,000 organizations protecting their IT infrastructures with Barracuda Networks’ range of affordable, easy-to-deploy and manage solutions. Barracuda Networks is privately held with its International Headquarters in Campbell, Calif. For more information, please visit www.barracudanetworks.com.

###

Amnesty International’s UK website has been compromised and is serving drive-by downloads. Historical data indicates the website AIUK was compromised on or before Friday, December 16.

Details:

Visiting hxxp://www[.]amnesty[.]org[.]uk loads hxxp://3max[.]com[.]br/cgi-bin/ai/ai.html via an iframe. 3max.com.br, which itself is a legitimate but compromised Brazilian automotive website, loads malicious Java content (stolen from the Metasploit project), which targets CVE-2011-3544. If the exploit is successful, malware is installed on the visitor’s system.

Details of Vulnerability Targeted by the Exploit
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544
VirusTotal Detections for Exploit
http://www.virustotal.com/file-scan/report.html?id=1cc214cee10f02d37359c0e3d04fd57899333c4b1eaa81489c74e5c2fa17c3a8-1324068153
VirusTotal Detections for Exploit Payload
http://www.virustotal.com/file-scan/report.html?id=0e53832e1c36d34a3d05c05f73ebab22a74ade95c5f3b7d9f74fad4f56d10023-1324067892

The exploit payload possesses properties of targeted malware but is being served by an exploit of a popular, public website. The working theory for this anomaly relates to Amnesty International as a human rights non-governmental organization. To explain, certain countries use zero day exploits and other techniques to gain electronic information about the activities of human rights activists. Of course, a subset of these activists are too smart to click on links in even well-worded spearphishing emails. But what if you compromised a website frequented by these activists (e.g., Amnesty International)? Then your targets come to you. The context-specific damage potential is significant.

Amnesty International UK has been notified about the compromise.

Here’s something we hear regularly at Barracuda Labs…

“My mom called me and said that someone posted something bad on her facebook.  How did they do that? What should I tell her?”

Our two-part answer is simple.  First, mom probably clicked on something and unwittingly gave it permission to post to her wall.  Second, there is always a possibility that mom had her password stolen.   She should change her Facebook password at once, as well as change the password on any service where she might have used that same password.

Facebook passwords do get stolen.  Below is one example of how that happens.

It starts with a message like this one that spreads from one wall to another.

Clicking on the link in the message opens up what looks like a Facebook login page.

(click to open full-size image)

Facebook will pop up a login page in certain situations to make certain that you are properly authenticated.   In this case the login page is entirely fake and is not part of Facebook at all.

Suppose you were in a hurry and didn’t take time to look at the URL of the page.   If you fill in your information and press the Login button, here’s what happens:

(click for full-size image)

As you can see in the image, your exact username and password are sent off to the Russian domain.   Once this is done, the browser is sent to a Facebook themed ‘survey’ site.

(click for full-size image)

These ‘survey’ sites offer some gift in exchange for participating in an endless cycle of marketing schemes, many of which ask for personal information and none of which ever deliver the the promised gift.

The remaining question is why criminals steal Facebook passwords

and there are three good answers.

1. Personal information on your Facebook account can be used to piece together full-fledged identity theft.

2. A stolen Facebook account is the perfect vehicle for carrying out the Stranded Traveler scam.

3.  Survey scammers such as the ones shown here have to start their viral campaigns somewhere, and a stolen account, with its hundreds of trusting friends, is the perfect place to start.

With the new Facebook Timeline rolling out this week, users should be particularly careful with the personal information they make available on their pages.  As always, Barracuda Networks recommends that you be cautious with what you click on and change your password regularly as a matter of course.

Apple Chairman Steve Jobs passed away on October 5, 2011. We all share in the sadness of losing such a technology leader, visionary and innovator. Steve impacted our lives in a multitude of positive ways, through his spirit, his creativity and the word-class products he brought to market. Apple’s offerings are both mainstream tools and sources of joy – solving problems and brightening lives everyday, all over the world.  We wish for peace for Steve Jobs and his family.

Unfortunately while many are mourning, others are trying to take advantage of them. Only 24 hours after Jobs’ death spammers began sending insensitive emails claiming otherwise.

Spams like these capitalize on their shock value. The senders hope that you will be curious just long enough to let down your guard and click on the link.

By now we should all know that these links lead to no good.  Merely clicking on the link in one of these emails leads to a compromised website which redirects the browser multiple times, in some cases finally delivering it to a host serving up the BlackHole exploit kit.

Barracuda Labs is seeing more and more instances of spam linking to servers hosting these exploit kits.   They are increasingly popular with malware distributors because a link has been clicked no further user interaction is required to install their payload.

It saddens us to see these  emails in our honeypots.   Don’t let the amoral scum who send these things take advantage of you. If you see them, delete them right away.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.

Yesterday reports began to trickle in that Google users in Iran were victim to a man-in-the-middle attack through the use of an illegitimate SSL certificate issued for “*.google.com”.  This is the latest in a series of events involving a hacked Certificate Authority, but this time there was clear evidence that the fake certificate was being actively used.  Details of the attack and consequences are being written about extensively elsewhere, so we will give a brief overview and link to those directly involved and others with particularly insightful analysis.

The certificate being used was issued by a Dutch certificate authority, DigiNotar. The consequence is that this CA has essentially been given the “death penalty”. Microsoft, Mozilla and Google have removed the DigiNotar root certificate from their chain of trust and certificates signed by them will have no more trust than one you generate yourself.  It is good to see that those who have the strongest position when choosing which certificate authorities to trust are doing the right thing here, with a technology that so many people rely on for security, privacy and economic reason a “one strike and you’re out” system is appropriate.  With each attack similar to this one, we see that the current system of Certificate Authorities is quite open to abuse with the combination of centralized and opaque trust.  Compromises of that trust can have severe consequences.  The system is clearly broken, and while some are working on replacement solutions, it is what we have to use in the mean time.

Users are advised to remove the DigiNotar root certificate.

Firefox:
http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert

Chrome:
http://googlechrometutorial.com/google-chrome-advanced-settings/Google-chrome-ssl-settings.html

IE:
Some newer versions of Windows seem to be automatically checking a CRL and therefore are able to provide protection without a software update: “All supported editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 use the Microsoft Certificate Trust List to validate the trust of a certificate authority. There is no action required for users of these operating systems because Microsoft has removed the DigiNotar root certificate from the Microsoft Certificate Trust List.”

However older versions of Windows do not provide automatic protection:” Microsoft will release a future update to address this issue for all supported editions of Windows XP and Windows Server 2003.”

http://www.microsoft.com/technet/security/advisory/2607712.mspx

The DigiNotar root will be being removed from relevant Barracuda Networks products.

Further reading:

Google Online Security Blog: An Update on Attemped Man-in-the-Middle Attacks

DigiNotar Response: Diginotar Reports Security Incident

EFF: Iranian Man-in-the-Middle Attack Against Google Demonstrates Dangerous Weakness of Certificate Authorities

Tools/Possible SSL Alternatives for advanced users:

Certificate Patrol for Firefox

Convergence

We see a lot of spam at Barracuda Labs.  Sometimes they’re as simple and straightforward as a Viagra ad, but just as often they can be as serious and as devastating as an urban mugging.  We’ve been watching one of those muggings play out over the past few days, and it has reminded us that spam is nothing to take lightly.

Early on the morning of August 23 the spam monitors at Barracuda Labs started detecting a large number of emails claiming to be from LinkedIn.  The quantities were significant, tens of thousands an hour, and these were pretty convincing messages.

As convincing as they may be these emails have nothing to do with LinkedIn.  The from address is fake and the “Follow this link” hyperlink leads to one of a set of recently registered domains deliberately set up to serve malicious content

Most of these sorts of spam attacks simply link to a malware file which the browser then downloads and offers to run. If an antivirus doesn’t intercept such a file then Windows will ask for permission to run it and it is easy enough to say no.

But this attack is different and much more serious. Each of the malicious domains such as linkedin-reports.com or linkedin-alert.com hosts an exploit kit, a set of malicious payloads that quietly attempt to take advantage of weaknesses in the Web browser and its helper applications.

Clicking on the “follow this link” hyperlink in the message doesn’t appear to have any effect. Nothing seems to happen; however there is a lot going on behind the scenes.

Below is what the behind-the-scenes network traffic looked like.

(Click for larger image)

This traffic capture shows a series of attacks against Internet Explorer (1), against the Adobe PDF reader plug-in (2) and finally against Windows Media Player (3).  Eventually these exploits result in the download of Trojan.Jorik (4).

Trojan.Jorik is a password stealer which gets right to work, periodically checking in with its command and control server (5).

After contacting the control server the Trojan contacts another server (6) for an interesting – and somewhat scary – configuration file.

(Click for larger image)

These password-stealing Trojans are programmed to insert themselves into the browser stack and can intercept login pages even before they are encrypted by HTTPS.  The list above shows the services that the Trojan is being configured to monitor.  There is more configuration that is not shown in this graphic – pages of HTML code snippets to be injected into login pages. When a login page for one of the monitored sites is displayed, the corresponding code snippet is added to the page. These code snippets ask for additional security questions or special passwords, information the password thieves want but questions that the legitimate login page does not ask.

Having your online banking credentials stolen is serious stuff, especially if the credentials belong to an organization or business with a hefty bank balance.  Consider the most recent story from Brian Krebs about the Cyber Theft of $217,000 from a nonprofit in Nebraska.

With so much spam circulating through email servers worldwide, it is easy to become insensitive to the very real danger that  truly malicious spam poses.  Never let down your guard, and never ever follow links in emails even if they appear to be official looking. As you can see from this example, one click can be all it takes.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.

Coders get a bum rap about code quality with regard to security.  Some of the berating is deserved, like when they try to roll their own crypto algorithms (these people should get the 21st century equivalent of stocks in the public square and rotten fruit pelted at them), but other times it is much more subtle and things that an “end user” coder shouldn’t have to worry about at all.

Success in increasing code quality comes from making it very difficult for a developer to do the wrong thing, making sure that the path of least resistance is also the most correct path.  Unfortunately as some programming languages have come to be used as much by designers and artists than the more mathematically included coder of old, a mindset of working around the coder and giving them results that they expect rather than what they’ve asked for has become common.  This leads the developers to think they’re doing the right thing, while actually shooting themselves in the foot.  A friend of mine (hat tip to @suburbsec) pointed me to a very good example of this the other day on one of spotthevuln.com’s latest entries.

if ( (int) $_REQUEST['w'] && (int) $_REQUEST['h'] ) {

 $choice = array(

 'type'   => "Custom size ({$_REQUEST['w']}x{$_REQUEST['h']})",

 'width'  => $_REQUEST['w'],

 'height' => $_REQUEST['h']

 );

}

...

<iframe src="../../../wp-login.php"
        width="<?php echo $choice['width']; ?>"
        height="<?php echo $choice['height']; ?>"
>your browser does not support iframes.</iframe>

Anyone with a bit of programming knowledge can see that the developer is writing this bit of code with security in mind, testing to make sure that the parameters w and h are indeed string representations of integers before displaying them.  Otherwise they wouldn’t cast to an int, right?  Wrong.  Perfectly valid assumption, but it doesn’t hold true in the land of PHP (a place where black is white, cats and dogs live together, and notions of computational science have no place).

$_REQUEST['w'] and $_REQUEST['h'] still retain the same values as before the int cast, as they should, but if they contain values like “11<bad juju here>” the cast would still return an integer value, 11, and the script is now a funhouse for, admittedly lame, reflected xss.  Another interesting side effect of this function is that either of the variables is “0″ – which last time I checked is still an integer. The test fails as a side effect of the test being done in a boolean context and not a type context.  In this case, the result is a trivial xss bug but similar snippets can be pulled from many codebases that lead to all sorts of problems with the developers honestly believing they’ve performed all the reasonable steps to ensure input validation.  For this particular problem, a much better approach would be to use the is_numeric function for testing or to assign the value of the cast to the variable you’ll be using later, but you’d have a tough time figuring that out by searching for “php string to int”.

It needs to be difficult for the coder to deliver a working product while holding onto false assumptions, and it is up to the languages, frameworks, and development tools to make that more of a reality. Less “more than one way to do it” and more “this is the right way to do it” would go a long way to towards making web security less of a trainwreck than it currently is.

Launching a new Web app today comes with a few certainties, and one of them is, “I will be a target for hackers” for sure.  So when an app as large and as high profile as Google+ launches, it will surely be one of the top targets for malicious activity.  This happened to Facebook the more popular it grew and it still is a favorite platform for malicious activity.  I did some analysis of the HTTP traffic between Google+ and the browser and found that Google is off to a good start in regards to browser security. Below are several take-aways:

Only SSL!
All Google+ traffic is sent over SSL and non SSL is not even an option.  This protects users’ traffic from getting sniffed and their sessions from being hijacked.  It is good to know that Google understands that sensitive information is being shared and SSL is really the only option for transmitting data.

Secure Headers
Here is what a typical response looks like from Google+:

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 184942
Set-Cookie: ULS=somehash; Path=/; Secure; HttpOnly
Date: Fri, 15 Jul 2011 14:29:05 GMT
Expires: Fri, 15 Jul 2011 14:29:05 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE

There are a few headers in this response that are specific to browser security, for example:

Set-Cookie Secure – This tells the browser to only send cookies over a secure (SSL) connection.  So if the site happens to hit a page that is not SSL, then the cookie will not be sent.

Set-Cookie HttpOnly – This prevents the cookie from being accessed by client side script.

Both of these cookie attributes help to prevent  session hijacking by only sending cookies when appropriate.

X-Content-Type-Options: nosniff – This prevents “mime” based attacks. The header instructs the browser not to override the response content type.  For example, some browsers try to be smart by deciding for themselves if the content is really is text/html or an image.  So with the nosniff option, if the server says the content is text/html, then the browser needs to render it as text/html.

X-Frame-Options: SAMEORIGIN – This tells the browser to only render frame pages from the URL hosting the main page.  This prevents Clickjacking attacks against the user.  Clickjacking is a browser-based attack that tricks the user into clicking on one thing but then performs a different action, such as following a user on Twitter.

X-XSS-Protection: 1; mode=block – This allows the browser to detect a cross site reflection attack.  If the browser sees a potential reflection attack, it will prevent the page from rendering in the browser.  Instead, you will see something similar to this depending on the browser:

What about Facebook?
While these preventions are by no means ground breaking or new, the fact that Google is thinking about and using them is a good step.  In contrast, let’s look at a typical Facebook response:

HTTP/1.1 200 OK
Cache-Control: public, max-age=604800
Content-Type: application/x-javascript; charset=utf-8
Expires: Fri, 22 Jul 2011 14:46:37 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
X-Frame-Options: DENY
Set-Cookie: _e_syaN_0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
X-FB-Server: 10.52.238.45
X-Cnection: close
Date: Fri, 15 Jul 2011 14:46:37 GMT
Content-Length: 24032

It is surprising that Facebook has not taken the same simple precautions that Google+ has taken. Here, we can see the differences:

In fact, just yesterday Microsoft’s Vulnerability Research team released advisory MSVR11-007: “Clickjacking Vulnerability in Facebook.com Could Allow Account Compromise”.   According to the advisory, Facebook has resolved the issue.  I did another check of the headers and still did not see any change to the response.  It is possible that Facebook closed the hole on the server side with input validation in order to prevent the malicious data from entering their database, but they still did not implement the simple browser precautions that Google+ has.   Here is the link to the official MSVR advisory:
http://www.microsoft.com/technet/security/advisory/msvr11-007.mspx

The folks from SecTheory/WhiteHat Security have an excellent write-up on Clickjacking.  For detailed information on this vulnerability visit:
http://www.sectheory.com/clickjacking.htm

Conclusion
Unfortunately, not all of these headers are supported in all browsers, meaning any of you still using IE6 won’t be able to take advantage of these headers.  What’s this mean for you? Make sure you are using an up-to-date browser to take full advantage of these protections.

Do these security measures make Google+ impervious to malicious activities?  Absolutely not.  Is it a good start?  Yes, it is. And further, it is good to see an app make its debut with security in mind.  It actually gives us Infosec folks a bit of hope that developers are listening and doing the right thing.

A common denominator of Facebook scams is that they offer you something you can’t resist.  Whether it be free Farmville coins, a ‘Dislike’ button, or just a girl in a short plaid skirt, if it’s desirable then you’ll eventually see it offered on Facebook as part of a scam.

And so it is with the latest must-have digital chotchka, an invitation to the new social networking offering from Google, Google+.  Since Google’s new project is aimed squarely at Facebook you would hardly expect to see such invitations offered on Facebook, but that’s where they’re showing up

Google Plus invite in Facebook news feed

Clicking on one of these news feed items brings up an actual Facebook application page.    These app pages are being taken down by Facebook and scammers are creating new ones, as seen here:

Facebook fake Google plus invite application

The reason for selecting an application for this scam is that applications can, if allowed, access otherwise private information from your Facebook profile.   That’s just what this app does.  Clicking on any of these links takes you to a page where the application requests permission to access your Facebook data, and it really does ask for quite a bit

Permissions request

This appears to be the entire point of this scam – email and account data harvesting.  The only other thing the application does is to spread to your friends.   First you are asked to ‘Like’ the app, which will cause it to appear in your friends’ news feeds.

"Like" step

Then, just in case items from you don’t appear in your friends’ news feeds, there is one more step: you are asked to explicitly send “invites” to your friends.

Fake "invite" step

Instead of actually sending invites, you’re sending Facebook requests that will appear in the notification queue of each friend you select.

Once you are past this point you wind up on the Google+ home page, and when you try to log in – surprise – you haven’t been invited.

As always, we at Barracuda Networks recommend that you approach any wall post that appears in your news feed with great caution.   If they seem to be too good to be true, double-check with the person whose name appears on the post.  Additionally,  Barracuda Web Filters give IT departments the ability to selectively block Facebook within the organization.

Fake antivirus scams are designed to scare innocent computer users with exaggerated displays of virus activity in the hope that they will hand over their credit card numbers to make it go away.   They’ve been around for years and the most prevalent ones use a freely available JavaScript design that mimics the Windows user interface, as seen here:

Fake Antivirus that mimics Windows

When these pages pop up on Macintosh computers, it’s immediately obvious that something isn’t right.

Last quarter, Apple set a new record (3.47 million sold in the quarter) with a growth rate of 33% over the prior year’s quarter.  Apple has about 10% of the computer market in the United States, and that doesn’t even include iPads.

That market share has been noticed by the fake antivirus scammers, and this week they have added a new JavaScript design that mimics the Macintosh interface, as seen here:

Fake antivirus that mimics Macintosh

Drive-by download sites now serve up this page if they detect access from a MacOS computer while Windows users still see a Windows style page.   The example above is called “Apple Security Center” but similar templates have been seen named MacDefender.

Since this is just JavaScript, the correct move at this point is to refuse the download and browse elsewhere.  Accepting the download and running it installs “Mac Protector” which displays pornographic images and promises to remove them for a credit card payment.

The initial infection vector is poisoned entries in Google search results.  We’ve talked extensively about poisoned search results and this represents another example of where otherwise normal Web sites are compromised and made to serve up bogus pages that are well ranked by Google. When one of these links is clicked, the compromised Web site detects a visit from Google search results and sends the visitor to a server that presents the fake antivirus. The recent change in Google content ranking has not stymied these attacks – the malicious link we tested was on page 1 of our search results:

Malicious link in Google results

Past Search Engine Optimization campaigns targeted very popular search terms such as celebrity sightings or breaking news events.  The poisoned links mentioned in this post are more likely to show up in the results for more mundane search terms so as to attract less attention, but they’re still getting plenty of traffic.

This is turning out to be a big problem for Apple. It has been conventional wisdom for years that one of the simplest Internet security solutions is to “just buy a Mac” and stop worrying.  Now that the most common drive-by attack vectors are serving up malware, unwary Mac users are being exposed to the harsh world that Windows users have dealt with for years, and are going to have to learn the same lessons.  Don’t believe everything that pops up on your screen, and don’t run any software unless you know where it came from and what it will do.

Barracuda Networks Barracuda Web Filters and the Barracuda Web Security Flex stop the download of this threat.